BEWARE: Hackers Found Using Windows Event Logs to Hide Malware

Hackers have found a new way to hide malware, using a technique that researchers have described as "impressive." The attackers were found to be using Windows event logs as a place to stash their malicious code.

Hackers Used a New Technique to Hide Malware in Windows Event Logs

According to TechRadar, the technique is the first of its kind: the attackers used a "custom malware dropper" to store the shellcode of a fileless malware inside Windows event logs.

The shellcode was not placed in just any log but specifically in the Key Management Service (KMS) event log. Kaspersky researchers were the first to spot the technique, after a customer reported a compromised endpoint.

Tools within the Campaign Were Described as Commercial and/or Custom-Built

According to the researchers, the campaign is highly targeted and "deploys a large set of tools." The tools were a mix of commercial products and code custom-built for this particular attack.

Denis Legezo of Kaspersky said it was the first time the company had seen this technique used. According to Legezo, the use of Windows event logs to store malware had not been observed before.

How the Malware is First Hidden in the Windows Event Logs

The dropper starts by copying WerFault.exe (the operating system's legitimate error-reporting binary) into the C:\Windows\Tasks folder. It then drops a malicious wer.dll, which carries an encrypted binary resource, into the same folder.

Because WerFault.exe looks for wer.dll (the Windows Error Reporting library) in its own directory before the system directory, the DLL search order is hijacked and the malicious wer.dll is loaded in place of the legitimate one. As Legezo explained, the loader's job is to scan the event logs for specific records.

Hackers Write Pieces of Encrypted Shellcode Which Turn Into Malware

If no such records are found, the dropper "writes pieces of encrypted shellcode" into the event log. Read back, reassembled and decrypted, those pieces form the malware used in the attack's next stage.

This means wer.dll acts only as a loader: without the shellcode stashed in the event logs it can do little harm on its own. Legezo called the technique impressive, referring to how unusual the attackers' approach to the targeted systems was.


Hints Point Towards APT Attacker but Specific Hacking Group Remains Unknown

According to Legezo, the attackers are skilled and have a sizeable arsenal of sophisticated commercial tools. His statement, as reported by TechRadar, hinted at "an APT attacker."

As of press time, the campaign has not been attributed to any known threat actor. The researchers said it began in September of last year. Because it shares no similarities with previously seen attacks, TechRadar said the attackers could be new players.


This article is owned by Tech Times

Written by Urian B.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.